Security Watch: Don't get burned by viruses and hackers
Spyware is on the decline--or is it?
By Robert Vamosi 
Senior editor, CNET Reviews
February 10, 2006

Research from the University of Washington this week suggests a demonstrable decline in URLs hosting drive-by and downloadable executables containing malicious spyware. That's not a decline in the amount of spyware loose on the Internet, per se, but an overall decrease in sites hosting malicious content. This is a promising statistic during a week that included the first-ever meeting of the Anti-Spyware Coalition in Washington, D.C., right? Well, two new reports appeared to contradict the University of Washington study, with Websense stating that 15 million Web sites now host malicious code, while antispyware vendor Webroot stated that 2005 was the biggest growth year for spyware in terms of dollar losses. So who's right? How about a little of each.

Skeptical reader
First, I'm inclined to side with academic white papers, if only because they tend to offer greater objectivity and presumably less vendor spin or vendor bias. No one is suggesting that the University of Washington study is flawed. What the university study did was crawl the Web using automated tools and count the number of infections that occurred as a result of visiting various Web sites. To make their list resemble the real world, researchers relied upon keyword search data. Here the researchers, Alexander Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy, started with a hypothesis--if they crawl the Internet, they will get a sense of how extensive the threat of spyware is--then they set out to prove or disprove that statement.

On the other hand, Websense and Webroot both make money from security-related issues, so I doubt we'll see a headline that says, "Webroot declares 'Mission accomplished: spyware defeated'" anytime soon. But I'm not necessarily discounting these studies, either. Both Websense and Webroot are reporting information collected by their networks of customers worldwide. That's valuable on its own: it's a snapshot of the threats those customers experience.

Webroot, like the University of Washington, used its own Internet crawler, affectionately known as Phineas, which searches for new spyware lurking in the hinterlands of the Internet. Websense also used an automated system for searching the Web. In truth, both the academic and corporate studies contain inherent flaws--for example, neither surveys the entire Internet, only large "representative samples" of it. The Internet is a constantly moving target. Yet given the different means of collection and methodologies for analysis between these reports, I still think there's useful data in all these studies. Let's have a look.

Mining the Websense and Webroot data
With more than 10 years of data-mining experience, Websense reports that within the last year, it saw the number of spyware-related Web sites jump 170 percent, from 48,000 in February 2005 to 130,000 sites today. Webroot also reports that "for enterprises, between Q3 and Q4 2005, the number of Trojan horse infections increased 9 percent, and from Q2 to Q4 2005, the number of system monitors, such as keystroke loggers, increased 50 percent consecutively each quarter."

The Websense and Webroot reports also looked at online fraud, phishing, and other scams, reporting on the business losses that these caused during 2005. The reports don't necessarily reflect how you and I experience spyware on our home PCs. For that, I think the University of Washington study is much more valuable, reporting on specific categories of Internet sites and the behaviors of visitors to those sites. That may not be as glamorous as reporting on the roughly $62-billion-per-year cost (according to Webroot) of computer-related crime to U.S. businesses, but I think the behavioral data is more meaningful in the long run.

Researchers find hostile hoods on the Net
Researchers at the University of Washington looked at specific categories of Web sites or isolated neighborhoods where you are more likely to encounter a drive-by download of harmful executables. Want to guess which are the most dangerous? Games and music, the bastions of idle youth, along with celebrity Web sites (think tabloid sites, not personal Web sites), appear to host the most downloadable executables that are likely to include spyware. (For full disclosure purposes, the University of Washington study specifically mentions CNET Download.com, citing a tremendous decrease in spyware downloads between May and October 2005, a period when Download.com announced that it would no longer host freeware or shareware known to contain spyware.) In contrast, kids' sites and news sites were least likely to host downloadable executables that could include spyware. But if you do have to surf, say, celebrity Web sites, the researchers suggest good surfing habits may limit your exposure.

Good surf habits do pay off
The researchers looked at two specific Internet browsers and the behavior of people using them. If I have to use Internet Explorer, for example, I have my IE security settings configured to prompt me with every ActiveX and JavaScript download. I find that almost all of these "secondary" downloads are unnecessary to view a Web page properly, so I'm in the habit of saying no to each prompt. It's a pain having to vet every ActiveX-laden Web site I visit within IE (which is one reason I switched to Firefox), but it's also become second nature for me to decline ActiveX and JavaScript downloads. Now there's evidence to suggest that this is a good surfing habit.

Researchers set their IE browser to simulate the user who always hits yes to download ActiveX components from a Web page. Not surprisingly, users allowing random ActiveX and JavaScript downloads were more likely than others to end up with spyware. In a second test where users said no to ActiveX and JavaScript components, users were still vulnerable but considerably less so. Does switching away from Microsoft Internet Explorer help? Yes, the researchers found. The study looked at Mozilla Firefox and again compared users who agreed to component downloads as opposed to those who declined them. Again, those who said yes were most likely to encounter spyware. I should add that there are fewer spyware apps known to infect Firefox, in part, because Firefox doesn't use ActiveX technology--all the more reason to consider alternatives to Internet Explorer.

Stopping spyware like viruses
In recent conversations with various antispyware researchers, I've been struck by how closely the antispyware community mirrors the antivirus community. Indeed, most of the effective antispyware apps available today use signature file updates and heuristics--exactly the same recipe that antivirus vendors use. The University of Washington study cites signature file updates as one of the more effective ways to limit or control spyware infestations, with heuristics stopping the "unknown" new threats.

So it's not surprising to see the major antivirus vendors--Symantec, McAfee, and Trend Micro--starting to bundle their antispyware solutions with their 2006 antivirus apps or to see these three companies working together to create common testing standards and, perhaps, an agreed-upon list of known spyware--similar to the Wild List of all known viruses and worms. Really, it does no one any good if an antispyware company has a database of 10,000 spyware applets yet refuses to share that information with independent researchers and other vendors.

And look for antispyware protection to go mainstream later this year when Microsoft ships Windows Vista with Windows Defender (formerly Microsoft AntiSpyware) bundled within. That, and the availability of free versions of Ad-aware, Spybot Search and Destroy, and Tenebril SpyCatcher Express, leaves no reason why your home PC should be infested with spyware. None. By limiting the opportunity to infect and with vendors starting to share data and build a consensus as to what counts as an unwanted program, we should be able to say that spyware really is on the decline next year.

Up or down? Are you sensing that the number of spyware infestations is increasing or starting to go down? Talk back to me.




TalkBack
22 messages

Article discussion: Spyware is on the decline--or is it?

Latest post:

"Spyware VS Anti-spyware"
by lazarus_vendetta - April 18, 2006 2:05 AM PDT
Spyware is almost nonexistent on my PC. However, I don't visit many sites besides Yahoo, Amazon and Google. Spyware will always be there if you visit certain pages. It's like a cat a...

ZeroSpyware keeps Spyware away

I have been using ZeroSpyware by FBM Software for about a year now - and have NO...
by RobRoy110 - March 1, 2006 6:38 AM PST
5 out of 5 users found this comment helpful

If ActiveX is so bad

then how come every time ZDNet or CNET reviews a browser other than IE, it lists ...
by Gerald Quaglia - February 16, 2006 5:49 PM PST

spyware is on the...

will up + advanced keyloggers
by royakai - February 16, 2006 1:01 PM PST

spyware on rise to me

I have Norton complete security and then bought micro trend anti-spyware package...
by thoth2 - February 14, 2006 5:49 PM PST
5 out of 5 users found this comment helpful

Safe Surfing

AMEN Brother...Keep your guard up at all times.

Safe surfing to you all...
by custom built - February 13, 2006 8:06 AM PST

Re: Not if you avoid Norton and McAfee

I have no problem per se with my system, I was just making the point that a sys...
by alphun - February 13, 2006 7:39 AM PST

Just attended a Security Summit

The FBI and other organizations who are fighting the international use of comput...
by mrobinson52 - February 13, 2006 7:21 AM PST
0 out of 5 users found this comment helpful

Please do not forget Siteadvisor

Dear Vamosi and Cnet readers,
You can download a plugin for Firefox called Si...
by walegretti - February 13, 2006 6:32 AM PST

How many Gigs or Ram do you have?

That seems to be quite a lot of stuff running on your system. Doesn't it take a...
by michaelmombourquette - February 13, 2006 5:53 AM PST

